[Samba] Kerberos problems with only some servers
Arne Zachlod
arne at nerdkeller.org
Thu Apr 29 12:02:13 UTC 2021
Thanks for your interest, I pasted the files below.
In the meantime I tried taking the adfs01 server out of the domain and
rejoining it, but that did not change anything: the problem remains and
my users are still unable to access the shares.
Collected config --- 2021-04-29-13:55 -----------
Hostname: adfs01
DNS Domain: int.samdom.de
FQDN: adfs01.int.samdom.de
ipaddress: 10.1.1.212
-----------
Kerberos SRV _kerberos._tcp.int.samdom.de record verified ok, sample
output:
Server: 10.1.1.215
Address: 10.1.1.215#53
_kerberos._tcp.int.samdom.de service = 0 100 88 addc12.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc16.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc08.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc13.int.samdom.de.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="16.04.7 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.7 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
-----------
This computer is running Ubuntu 16.04.7 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:18:cc:3c brd ff:ff:ff:ff:ff:ff
inet 10.1.1.212/24 brd 10.1.1.255 scope global ens3
inet6 fe80::5054:ff:fe18:cc3c/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# Correct for a domain member: FQDN and short name map to the LAN
# address, not to a loopback address.
10.1.1.212 adfs01.int.samdom.de adfs01
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.1.1.215
nameserver 10.0.1.215
nameserver 10.2.1.215
search int.samdom.de
-----------
Checking file: /etc/krb5.conf
# Kerberos client defaults for the domain member. There is no [realms]
# section, so every KDC is found through the _kerberos._tcp SRV records
# verified above; the resolvers in resolv.conf must therefore be the
# trusted domain DNS servers.
[libdefaults]
default_realm = INT.SAMDOM.DE
# Safer than 'true': the realm comes from this file instead of from
# unauthenticated DNS TXT lookups.
dns_lookup_realm = false
# KDC discovery via DNS SRV (addc08/12/13/16 per the check above).
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# Domain users and groups are supplied by winbindd after the local
# databases; `getent passwd`/`wbinfo -u` come back empty whenever
# winbindd cannot reach a DC.
passwd: compat winbind
group: compat winbind
# No winbind here is normal: domain passwords are verified by
# winbind/PAM, never through shadow.
shadow: compat
gshadow: files
# 'files' first: /etc/hosts entries override DNS for the local name.
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Domain member file server. The package list below shows Samba
# 2:4.3.11 on Ubuntu 16.04: Ubuntu 16.04 left standard support in
# April 2021 and the Samba 4.3 branch stopped receiving upstream
# security fixes well before that, while the DCs run 4.11. Treat the
# upgrade as a security item, not only a compatibility one.
[global]
netbios name = ADFS01
# Kerberos/NTLM authentication against the AD domain below.
security = ADS
workgroup = SAMDOM
realm = INT.SAMDOM.DE
logfile = /var/log/samba/%m.log
# While debugging the gss_accept_sec_context failure raise this
# temporarily, e.g. `log level = 1 auth:10 winbind:10`, and revert
# afterwards (level 10 logs identify users and tickets).
log level = 1
# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# idmap config for domain SAMDOM
# 'ad' reads uidNumber/gidNumber from AD; accounts without those
# attributes get no Unix ID and will not appear in getent/wbinfo.
# The two ranges do not overlap, as required.
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
# Enumeration is only needed for full listings (`wbinfo -u`,
# `getent passwd`) and is costly on large domains; it is not needed
# for logons. Since it is enabled, the empty `wbinfo -u` reported in
# the thread means winbindd cannot talk to a DC at all - check
# `wbinfo --ping-dc`, `wbinfo -t` and `net ads testjoin` first.
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
# Service keys come from secrets.tdb and from the keytab below. The
# keytab must hold the machine account's CURRENT key and kvno: a
# service ticket the KDC encrypted under a newer key than the one in
# the keytab is the usual cause of the "Decrypt integrity check failed"
# error quoted in the thread. Compare `klist -ke /etc/krb5.keytab` with
# `net ads keytab list` and with the kvno the DC issues
# (`kinit <user>; kvno cifs/adfs01.int.samdom.de`, needs krb5-user);
# on a mismatch `net ads keytab create` rewrites the keytab from the
# current machine password. The keytab is a credential: keep it
# root-owned, mode 0600.
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# fileshare options
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# None of the shares set `valid users` and all are writable, so
# authorisation rests entirely on the POSIX/NT ACLs that acl_xattr
# stores under /srv/samba; review those, not smb.conf, for access
# control.
# test share
[test]
path = /srv/samba/test
read only = no
[prueflabor]
path = /srv/samba/prueflabor
read only = no
[Beratung]
path = /srv/samba/beratung
read only = no
[ilims]
path = /srv/samba/ilims
read only = no
[Qualitaetsmanagement]
path = /srv/samba/Qualitaetsmanagement
read only = no
[Geschaeftsfuehrung]
path = /srv/samba/Geschaeftsfuehrung
read only = no
[Vorlagen]
path = /srv/samba/Vorlagen
read only = no
[Service]
path = /srv/samba/Service
read only = no
[Scan-Dateien-Toshiba]
path = /srv/samba/Scan-Dateien-Toshiba
read only = no
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.52-3
amd64 Access control list utilities
ii attr 1:2.4.47-2
amd64 Utilities for manipulating filesystem
extended attributes
ii krb5-config 2.3
all Configuration files for Kerberos Version 5
ii krb5-locales 1.13.2+dfsg-5ubuntu2.2
all Internationalization support for MIT
Kerberos
ii libacl1:amd64 2.2.52-3
amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2
amd64 Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.13.2+dfsg-5ubuntu2.2
amd64 MIT Kerberos runtime libraries - krb5
GSS-API Mechanism
ii libkrb5-26-heimdal:amd64
1.7~git20150920+dfsg-4ubuntu1.16.04.1 amd64 Heimdal
Kerberos - libraries
ii libkrb5-3:amd64 1.13.2+dfsg-5ubuntu2.2
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.13.2+dfsg-5ubuntu2.2
amd64 MIT Kerberos runtime libraries - Support
library
ii libnss-winbind:amd64
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba
nameservice integration plugins
ii libsmbclient:amd64
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 shared
library for communication with SMB/CIFS servers
ii libwbclient0:amd64
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba
winbind client library
ii python-pylibacl 0.5.2-2build2
amd64 module for manipulating POSIX.1e ACLs
ii python-pyxattr 0.5.3-2build2
amd64 module for manipulating filesystem
extended attributes
ii python-samba
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Python
bindings for Samba
ii samba
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 SMB/CIFS
file, print, and login server for Unix
ii samba-common
2:4.3.11+dfsg-0ubuntu0.16.04.32 all common
files used by both the Samba server and client
ii samba-common-bin
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba
common files used by both the server and the client
ii samba-dsdb-modules
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba
Directory Services Database
ii samba-libs:amd64
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba core
libraries
ii samba-vfs-modules
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 Samba
Virtual FileSystem plugins
ii smbclient
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64
command-line SMB/CIFS clients for Unix
ii winbind
2:4.3.11+dfsg-0ubuntu0.16.04.32 amd64 service to
resolve user and group information from Windows NT servers
-----------
Collected config --- 2021-04-29-11:02 -----------
Hostname: addc08
DNS Domain: int.samdom.de
FQDN: addc08.int.samdom.de
ipaddress: 10.1.1.215
-----------
Kerberos SRV _kerberos._tcp.int.samdom.de record verified ok, sample
output:
Server: 10.1.1.215
Address: 10.1.1.215#53
_kerberos._tcp.int.samdom.de service = 0 100 88 addc12.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc16.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc08.int.samdom.de.
_kerberos._tcp.int.samdom.de service = 0 100 88 addc13.int.samdom.de.
Samba is running as an AD DC
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.9 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP group default qlen 1000
link/ether 52:54:00:77:6c:f9 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.215/24 brd 10.1.1.255 scope global ens3
inet6 fe80::5054:ff:fe77:6cf9/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# NOTE(review): the Samba AD DC setup guide requires the DC's FQDN to
# resolve to its LAN address, not 127.0.1.1. With `hosts: files dns`
# this line is matched first, so local tools resolving
# addc08.int.samdom.de get 127.0.1.1. Remove this line and add the
# short name to the 10.1.1.215 entry below. Unlikely to be the cause of
# the member's Kerberos failure, but it is a known source of DC trouble.
127.0.1.1 addc08.int.samdom.de addc08
10.1.1.215 addc08.int.samdom.de
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
domain int.samdom.de
search int.samdom.de
nameserver 10.1.1.215
-----------
Checking file: /etc/krb5.conf
# Kerberos client defaults on the DC; identical to the member's file.
# Samba provisions its own copy under /var/lib/samba/private/ with the
# same settings, so keeping this one in step avoids surprises for
# command-line tools. KDC discovery goes through this DC's own DNS
# (resolv.conf points at 10.1.1.215, i.e. this host).
[libdefaults]
default_realm = INT.SAMDOM.DE
# Realm taken from this file, not from unauthenticated DNS TXT records.
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# No winbind on this DC: only local accounts resolve through NSS, so
# `getent passwd <domain user>` is expected to fail here. That is fine
# as long as the DC does not serve file shares with POSIX ACLs.
passwd: files systemd
group: files systemd
shadow: files
gshadow: files
# 'files' first: the /etc/hosts entries above override DNS for the
# DC's own name.
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SAMDOM
# Kerberos realm names are case-sensitive and conventionally upper-case;
# the member server and both krb5.conf files use INT.SAMDOM.DE. Samba
# normally upper-cases this value itself, but writing INT.SAMDOM.DE
# here removes that dependency and keeps all servers identical.
realm = int.samdom.de
netbios name = ADDC08
server role = active directory domain controller
# Samba's internal DNS (no BIND_DLZ, see below) forwards non-domain
# queries here.
dns forwarder = 10.1.1.1
idmap_ldb:use rfc2307 = yes
# NOTE(review): 'Auto' makes SMB signing negotiable rather than
# required; smb.conf(5) documents 'mandatory' as the default for the
# AD DC role. SYSVOL/NETLOGON (group policy, logon scripts) are served
# from here, so unsigned sessions let an on-path attacker tamper with
# them. Prefer removing this line or `server signing = mandatory`.
server signing = Auto
# NOTE(review): 'nonsecure' accepts unsigned dynamic DNS updates from
# any host that can reach this DC's DNS, so any machine on the network
# can overwrite A/SRV records - including those of the DCs and file
# servers that Kerberos clients are steered by. The default is
# 'secure only' (GSS-TSIG from domain members). Use that unless a
# specific non-domain updater (e.g. a DHCP server) genuinely needs
# unsigned updates, and then prefer making that updater authenticate.
allow dns updates = nonsecure
[netlogon]
path = /var/lib/samba/sysvol/int.samdom.de/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
-----------
BIND_DLZ not detected in smb.conf
-----------
Installed packages:
ii acl 2.2.53-4
amd64 access control list - utilities
ii attr 1:2.4.48-4
amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6
all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-3+deb10u1
all internationalization support for MIT Kerberos
ii libacl1:amd64 2.2.53-4
amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-4
amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3+deb10u1
amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3
amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-3+deb10u1
amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-3+deb10u1
amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.11.17+dfsg-0.1buster1
amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Samba winbind client library
ii python3-samba 2:4.11.17+dfsg-0.1buster1
amd64 Python 3 bindings for Samba
ii samba 2:4.11.17+dfsg-0.1buster1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.11.17+dfsg-0.1buster1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.11.17+dfsg-0.1buster1
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.11.17+dfsg-0.1buster1
amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.11.17+dfsg-0.1buster1
amd64 command-line SMB/CIFS clients for Unix
ii winbind 2:4.11.17+dfsg-0.1buster1
amd64 service to resolve user and group information from Windows
NT servers
-----------
On 4/29/21 10:57 AM, L.P.H. van Belle via samba wrote:
> hmm, config look ok from what i see below,
>
> Can you run this :
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
> And post the content, if you anonymize it, keep structures/Caps as the are.
> Like INTERNAL.REALM.TLD of WORKGROUP
>
> Im on road in few min, so im will reply later.
>
>
> Greetz,
>
> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Arne
>> Zachlod via samba
>> Verzonden: donderdag 29 april 2021 10:35
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Kerberos problems with only some servers
>>
>> Yes, time is OK:
>>
>> root at adfs01:~# date -R
>> Thu, 29 Apr 2021 10:33:37 +0200
>>
>> root at addc08:~# date -R
>> Thu, 29 Apr 2021 10:33:47 +0200
>>
>> On 4/29/21 10:29 AM, L.P.H. van Belle via samba wrote:
>>> Is time in sync?
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Arne
>>>> Zachlod via samba
>>>> Verzonden: donderdag 29 april 2021 10:08
>>>> Aan: samba
>>>> Onderwerp: [Samba] Kerberos problems with only some servers
>>>>
>>>> Hi,
>>>>
>>>> I have a weird Kerberos problem (I think) that pretty much
>>>> came over night.
>>>>
>>>> I have a domain with multiple DCs (Debian/Samba 4.11), all in
>>>> different
>>>> AD Sites. Replication works according to 'samba-tool drs showrepl'.
>>>>
>>>> In the sites I have Linux based fileservers as domain members and
>>>> Windows based clients. Somehow, it's not possible anymore
>> to log into
>>>> some of the file servers. On Windows, the Client just asks
>>>> for username
>>>> + password, and if you give both, it won't get accepted.
>>>>
>>>> On the file server, I get these log entrys:
>>>>
>>>> [2021/04/29 09:39:37.439432, 1]
>>>> ../source3/librpc/crypto/gse.c:496(gse_get_server_auth_token)
>>>> gss_accept_sec_context failed with [ Miscellaneous failure (see
>>>> text): Decrypt integrity check failed for checksum type
>>>> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96]
>>>> [2021/04/29 09:39:37.439817, 1]
>>>> ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
>>>> SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>>>
>>>> wbinfo -u also returns empty on the file server, but not on
>>>> any of the
>>>> DCs. I'm a bit puzzled and don't really know what to do/ how
>>>> to debug.
>>>> Has anyone any idea how to debug this situation any further?
>>>>
>>>> - Arne
>>>>
>>>> ====== krb5.conf - same on all servers
>>>>
>>>> [libdefaults]
>>>> default_realm = INT.SAMDOM.DE
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> ====== smb.conf fore the DC ========
>>>>
>>>> # Global parameters
>>>> [global]
>>>> workgroup = SAMDOM
>>>> realm = int.samdom.de
>>>> netbios name = ADDC08
>>>> server role = active directory domain controller
>>>> dns forwarder = 10.1.1.1
>>>> idmap_ldb:use rfc2307 = yes
>>>> server signing = Auto
>>>> allow dns updates = nonsecure
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/int.samdom.de/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /var/lib/samba/sysvol
>>>> read only = No
>>>>
>>>> ===== smb.conf on one of the FS ====
>>>>
>>>> [global]
>>>> netbios name = ADFS01
>>>> security = ADS
>>>> workgroup = SAMDOM
>>>> realm = INT.SAMDOM.DE
>>>>
>>>> logfile = /var/log/samba/%m.log
>>>> log level = 1
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9999
>>>>
>>>> # idmap config for domain SAMDOM
>>>> idmap config SAMDOM:backend = ad
>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>> idmap config SAMDOM:range = 10000-99999
>>>>
>>>> # Use settings from AD for login shell and home directory
>>>> winbind nss info = rfc2307
>>>>
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>> winbind refresh tickets = yes
>>>>
>>>> kerberos method = secrets and keytab
>>>> dedicated keytab file = /etc/krb5.keytab
>>>>
>>>> # fileshare options
>>>> vfs objects = acl_xattr
>>>> map acl inherit = yes
>>>> store dos attributes = yes
>>>>
>>>> # test share
>>>>
>>>> [test]
>>>> path = /srv/samba/test
>>>> read only = no
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
>